This documentation says enabling this "FORCES" this logon method.
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac03vpn.html#wp1134595
If it is forced, that means the user can only access VPN from a domain-joined computer and cannot connect to VPN from another PC for the purpose of connecting to remote desktop or non-public OWA webmail etc.
That will not be acceptable. Is there a way to make Start Before Logon an option so users don't have to use it, but is available as an option when needed? Some users only need this in case their domain account password expires or is reset while they are on the road and would not want to use this method every day or else need to use a personal computer not joined to the domain to access VPN.